Using keychain with SSH

If you use ssh's built-in public-key/private-key passwordless authentication with an encrypted private key, you may find it annoying to enter the private key password all the time. ssh-agent provides some relief for the problem, but not to as great an extent as we would hope. So, the nice folks at IBM created keychain.

Overview

keychain runs the first time you open a prompt on a system and remembers your private key password for you, so you only have to enter it once per login session on your local machine. Further, we will set up ssh auth forwarding, so if you chain logins from remote systems in the physics/astronomy cluster, you still will not need to enter your password, all while still being very secure.

I will assume for this document you are using bash. If you are using tcsh you must adapt the instructions to its login scripts and such.

Working keys

If you don't already have public/private key auth set up, use the following command to create a key pair:

ssh-keygen -t rsa

When it prompts you for a password, enter one (different from your physics account password) to encrypt the key on disk. Save it in the default ~/.ssh/id_rsa location.

After that, add your public key to the authorized_keys file:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

From this point, you should be able to ssh to another system (physics.umn.edu for example) and be prompted for your new RSA private key password instead of your account password. Make sure this is working before you continue.
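
The append step above adds a duplicate line each time it is re-run, and sshd (with its default StrictModes setting) ignores authorized_keys when the file or ~/.ssh is writable by group or other users. The following is an added example, not part of the original page, that performs the same step idempotently and sets the expected modes; the function names and the optional directory argument are assumptions made for illustration.

```shell
# Added example (not from the original page).
# install_pubkey [DIR]: DIR defaults to ~/.ssh; pass a scratch directory to try it safely.
install_pubkey() {
    ssh_dir=${1:-"$HOME/.ssh"}
    pub="$ssh_dir/id_rsa.pub"
    auth="$ssh_dir/authorized_keys"

    [ -f "$pub" ] || { echo "no public key at $pub" >&2; return 1; }

    # Create authorized_keys with private permissions if it does not exist yet.
    ( umask 077; touch "$auth" ) || return 1

    # If the file does not end in a newline, add one so the appended key
    # does not get glued onto the previous entry.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"

    # Append only when this exact line is absent (-x whole line, -F literal),
    # so running the step twice does not duplicate the key.
    if ! grep -qxF -- "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth" || return 1
    fi

    # Modes sshd's StrictModes check accepts: nothing writable by group/other.
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth" || return 1
    [ ! -f "$ssh_dir/id_rsa" ] || chmod 600 "$ssh_dir/id_rsa"
}

# count_key DIR: how many times the public key appears in authorized_keys.
count_key() {
    grep -cxF -- "$(cat "$1/id_rsa.pub")" "$1/authorized_keys"
}

# mode_of PATH: the ls-style permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Run install_pubkey with no argument to apply it to ~/.ssh; count_key and mode_of let you confirm the result before testing the login.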

Now if you log out and back in to X, you should be prompted for your private key password the first time you open a command shell. After that you can ssh anywhere and through multiple systems without being asked for your password again. (You may have to kill ssh-agent and then restart X for changes to take effect.)